php-date-formatter Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the php-date-formatter library, specifically in version 1.3.6. A crafted payload lets an attacker modify the global prototype chain, which can lead to a denial-of-service condition. If the injected properties reach sensitive Node.js APIs, the issue could escalate to more severe injection-based attacks, such as executing arbitrary commands within the application's context.
Impact
Exploitation of this vulnerability causes a denial-of-service condition. It also introduces the risk of more severe injection-based attacks, depending on how the application uses the library.
Reproduction
The vulnerability can be reproduced by importing the php-date-formatter library and passing the 'parse' function a payload that includes an Object.prototype setter. This modifies the prototype of the global object, which can be verified by checking the prototype of a new object before and after the attack: after the call, a newly created object reflects the changes made by the crafted payload.
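The before-and-after check described above can be automated as a regression test. The following is an added example, not code from php-date-formatter or from the original advisory: `unsafeSet` is a constructed stand-in for a vulnerable helper, and `safeSet`, `detectPollution`, `BLOCKED_KEYS` and `SAMPLE_PATH` are hypothetical names.

```javascript
'use strict';
// Added example (not php-date-formatter code): detect and block prototype pollution.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed stand-in for a vulnerable helper: writes a value at a dotted
// path and follows inherited properties without checking key names.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const k of keys.slice(0, -1)) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: rejects prototype-reaching keys and only descends into
// properties the object owns itself.
function safeSet(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError('blocked key in path: ' + path);
  }
  let node = target;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs fn, reports any keys it added to Object.prototype, then removes them
// so one polluted call cannot affect the rest of the test run.
function detectPollution(fn) {
  const before = new Set(Reflect.ownKeys(Object.prototype));
  let error = null;
  try { fn(); } catch (e) { error = e; }
  const added = Reflect.ownKeys(Object.prototype).filter((k) => !before.has(k));
  for (const k of added) delete Object.prototype[k];
  return { added, error };
}

const SAMPLE_PATH = '__proto__.polluted'; // constructed sample input
console.log(detectPollution(() => unsafeSet({}, SAMPLE_PATH, true)).added);
console.log(detectPollution(() => safeSet({}, SAMPLE_PATH, true)).error.message);
```

In a test suite, wrap the call that handles untrusted input (for this advisory, the library's parse call) in `detectPollution` and fail the test if `added` is non-empty.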
